Case-IT Auditing
ABC has a sound change management process/policy for program code changes that includes the ability for users to request changes, which are entered by users through a web-based internally managed portal (CMP)ICS). User requests are then electronically routed to the appropriate IT and business personnel for review and approval to proceed to work the request. Once IT completes the coding revisions and performs unit and system testing, then users will test the system changes. Upon satisfactory testing, the users will formally approve the movement of code to production using the web-based change portal. IT will then work with the business areas to move the code from the test environment to production at the agreed-to time. All testing support is retained. ABC IT department maintains a downtime window on Sundays that allows time for code migrations. Additionally, this same downtime window allows for appropriate full backups to occur for all systems. During the week, incremental backups occur.
Question: What are the Controls and what are the GAPS?
Controls:
IT general controls (ITGC) are the basic controls that can be applied to IT systems such as applications, operating systems, databases, and supporting IT infrastructure.
The objectives of ITGCs are to ensure the integrity of the data and processes that the systems support. The most common ITGCs are as follows:
GAPS:
The Assessor will:
• Review the compliance of your management system to the requirements of the appropriate standard
• Document where your system complies / does not comply with the certification requirements
• Discuss what needs to be considered in the project plan and agree any corrective actions
A report will be raised:
• Confirming the areas of the standard that your organization is currently conforming
• Identifying any areas that are not conforming
• Providing the foundation for a project plan
This report will enable your business or organization to implement a plan to remedy these gaps in readiness for the mandatory initial audits for certification.
Hope this helps. :-)